Overview ¶
Package vault owns encrypted daemon-managed secret material.
Index ¶
- Variables
- func EnvNameFromRef(ref string) (string, error)
- func IsEnvRef(ref string) bool
- func IsSecretRef(ref string) bool
- func NormalizeRef(ref string) string
- func RefMatchesPrefix(ref string, prefix string) bool
- func SecretLikeEnvName(name string) bool
- func SecretRefNamespace(ref string) (string, error)
- func SecretRefPrefixNamespace(prefix string) (string, error)
- func ValidateNamespace(namespace string) error
- func ValidateNonSecretEnvMap(path string, env map[string]string) error
- func ValidateRef(ref string) error
- func ValidateRefNamespace(ref string, namespace string) error
- func ValidateSecretEnvMap(path string, namespace string, secretEnv map[string]string) error
- func ValidateSecretRef(ref string) error
- func ValidateSecretRefNamespace(ref string, namespace string) error
- func ValidateSecretRefPrefix(prefix string) error
- type KeyProvider
- type Metadata
- type Option
- type Record
- type Service
- func (s *Service) DeleteSecret(ctx context.Context, ref string) error
- func (s *Service) GetMetadata(ctx context.Context, ref string) (Metadata, error)
- func (s *Service) ListMetadata(ctx context.Context, prefix string) ([]Metadata, error)
- func (s *Service) PutSecret(ctx context.Context, ref string, kind string, plaintext string) (Metadata, error)
- func (s *Service) ResolveRef(ctx context.Context, ref string) (string, error)
- type Store
Constants ¶
This section is empty.
Variables ¶
// Sentinel errors returned by the vault package. Callers should compare with
// errors.Is so that wrapped errors still match.
var (
	// ErrSecretNotFound reports that a secret reference has no stored value.
	ErrSecretNotFound = errors.New("vault: secret not found")

	// ErrUnsupportedSecretRef reports that a launch binding uses an unsupported reference scheme.
	ErrUnsupportedSecretRef = errors.New("vault: unsupported secret ref")

	// ErrMissingSecret reports that a required env or secret reference resolved to no value.
	ErrMissingSecret = errors.New("vault: secret value missing")
)
var (
	// EnvNamePattern is the daemon-wide grammar for environment variable names:
	// a leading ASCII letter or underscore, then any run of ASCII letters,
	// digits or underscores. It is anchored, so the whole name must match.
	EnvNamePattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
)
EnvNamePattern is the daemon-wide grammar for environment variable names.
Functions ¶
func EnvNameFromRef ¶
EnvNameFromRef returns the validated environment variable name in an env: ref.
func IsSecretRef ¶
IsSecretRef reports whether a ref points at AGH-managed encrypted storage.
func NormalizeRef ¶
NormalizeRef returns the trimmed secret ref used by stores and resolvers.
func RefMatchesPrefix ¶
RefMatchesPrefix reports whether ref is exactly prefix or is nested below it.
func SecretLikeEnvName ¶
SecretLikeEnvName reports whether an environment variable name conventionally carries durable credential material and should be declared through secret_env.
func SecretRefNamespace ¶
SecretRefNamespace returns the first path segment for a validated vault ref.
func SecretRefPrefixNamespace ¶
SecretRefPrefixNamespace returns the first path segment for a validated vault ref prefix.
func ValidateNamespace ¶
ValidateNamespace reports whether namespace is one of AGH's durable vault namespaces.
func ValidateNonSecretEnvMap ¶
ValidateNonSecretEnvMap rejects literal env maps that appear to carry secrets.
func ValidateRef ¶
ValidateRef reports whether ref uses AGH's supported env: or vault: grammar.
func ValidateRefNamespace ¶
ValidateRefNamespace reports whether ref uses env: or the requested vault namespace.
func ValidateSecretEnvMap ¶
ValidateSecretEnvMap validates env-name to secret-ref bindings for one vault namespace.
func ValidateSecretRef ¶
ValidateSecretRef reports whether ref belongs to one of AGH's durable vault namespaces.
func ValidateSecretRefNamespace ¶
ValidateSecretRefNamespace reports whether ref is a vault ref in the requested namespace.
func ValidateSecretRefPrefix ¶
ValidateSecretRefPrefix reports whether prefix can safely filter AGH vault refs.
Types ¶
type KeyProvider ¶
KeyProvider loads the daemon-local vault encryption key.
func NewFileKeyProvider ¶
func NewFileKeyProvider(homeDir string, lookupEnv func(string) (string, bool)) KeyProvider
NewFileKeyProvider returns a non-interactive key provider backed by AGH_VAULT_KEY or a 0600 key file.
type Metadata ¶
// Metadata is a redacted vault row safe for operator-facing status surfaces.
// It deliberately carries no value field: neither plaintext nor the
// Record.EncryptedValue ciphertext is exposed through this type.
type Metadata struct {
	// Ref is the vault ref this row describes.
	Ref string
	// Kind is the caller-supplied kind label given to Service.PutSecret.
	Kind string
	// Present reports whether a value is stored for Ref — presumably always
	// true for rows returned by GetMetadata/ListMetadata; confirm against Service.
	Present bool
	// CreatedAt and UpdatedAt mirror the timestamps on the underlying Record.
	CreatedAt time.Time
	UpdatedAt time.Time
}
Metadata is a redacted vault row safe for operator-facing status surfaces.
type Option ¶
// Option customizes the vault service. Options are passed to NewService as
// its variadic opts argument; WithLookupEnv is the one shown on this page.
type Option func(*Service)
Option customizes the vault service.
func WithLookupEnv ¶
WithLookupEnv injects env lookup for tests and daemon composition.
type Record ¶
// Record is one encrypted vault row as persisted by Store.
// EncryptedValue must never contain plaintext; Store implementations only
// ever receive ciphertext, and Metadata never surfaces this field.
type Record struct {
	// Ref is the vault ref that keys this row.
	Ref string
	// Kind is the caller-supplied kind label given to Service.PutSecret.
	Kind string
	// EncryptedValue is the ciphertext of the secret (its encoding is not
	// shown on this page); it must never hold plaintext.
	EncryptedValue string
	// CreatedAt is when the row was first written; UpdatedAt when it last changed.
	CreatedAt time.Time
	UpdatedAt time.Time
}
Record is one encrypted vault row. EncryptedValue must never contain plaintext.
type Service ¶
// Service resolves env-backed and vault-backed secret references.
// Construct it with NewService; the zero value is not usable because the
// Store and KeyProvider dependencies are unexported fields set there.
type Service struct {
	// contains filtered or unexported fields
}
Service resolves env-backed and vault-backed secret references.
func NewService ¶
func NewService(store Store, keys KeyProvider, opts ...Option) (*Service, error)
NewService constructs a vault service.
func (*Service) DeleteSecret ¶
DeleteSecret removes one vault-backed ref.
func (*Service) GetMetadata ¶
GetMetadata returns redacted metadata for one vault-backed ref.
func (*Service) ListMetadata ¶
ListMetadata returns redacted metadata for a ref prefix.
type Store ¶
// Store persists encrypted vault records. Implementations handle Record
// values whose EncryptedValue is already ciphertext; encryption and
// decryption happen in Service, not in the Store.
type Store interface {
	// PutVaultSecret writes the row for record.Ref — presumably insert-or-replace;
	// confirm against the implementation.
	PutVaultSecret(ctx context.Context, record Record) error
	// GetVaultSecret returns the row for ref. A missing row is expected to
	// surface as ErrSecretNotFound at the Service layer — confirm where it is mapped.
	GetVaultSecret(ctx context.Context, ref string) (Record, error)
	// ListVaultSecrets returns the rows at or below prefix; see RefMatchesPrefix
	// for the prefix semantics the package defines.
	ListVaultSecrets(ctx context.Context, prefix string) ([]Record, error)
	// DeleteVaultSecret removes the row for ref.
	DeleteVaultSecret(ctx context.Context, ref string) error
}
Store persists encrypted vault records.